National Consumers League

The #DataInsecurity Digest | Issue 36

Issue 36 | January 5, 2017

#DataInsecurity Digest: Predictions for 2017

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Happy New Year! For the first #DataInsecurity Digest of 2017, we first take a look back at the year that was. Sorry to say, it wasn’t so great, with more than 3.1 billion records affected by data breaches. No major sector was spared. Unfortunately, 2017 isn’t promising to be a whole lot better. Security firms’ new year’s predictions include ransomware attacks on the cloud and the potential for a nation-state cyberattack to make history as the first-ever act of war. In that vein, Sen. McCain (R-AZ) will hold his much-anticipated hearing on Russian attempts to hack the 2016 U.S. presidential election today. Even President-elect Trump seems to be coming around to the threat of data breaches (“No computer is safe”), though his advice for dealing with the threat was unsettlingly antiquated (“Have it sent by courier”).

And now, on to the clips!

-----------------

3.1 billion reasons why 2016 was…not so good. Last year was another record-setter for data insecurity and not in a good way. @LewisMorgan_ took on the unenviable task of totalling up all of the breached records from the reported breaches of 2016 and came to the staggering number of 3.1 billion “as the minimum number of records leaked…not the total.” (Source: IT Governance)

Biggest data breaches of 2016. @IdentityForce gives us one of (if not the) definitive list of 2016’s biggest breaches No sector was spared—government (IRS, DOJ, SF MUNI), healthcare (21st Century Oncology, Premier Healthcare, MedStar Health), and of course, tech (LinkedIn, Yahoo, Yahoo again, Dropbox). Check out the full list for a walk down memory lane. (Source: IdentityForce)

Ominous predictions for 2017. @govcso took a look at several 2017 data security prediction lists created by major security firms so you don’t have to. Some of the more interesting (and by that we mean scary) predictions? “Ransomware will attack the cloud … SSL abuse will lead to increased phishing sites using HTTPS (@Symantec) … Adobe and Apple will outpace Microsoft in terms of platform vulnerability discoveries (@TrendMicro) … Machine learning accelerates social engineering attacks (@McAfee) … The first nation state cyber-attack will be conducted and acknowledged as an act of war (@BeyondTrust)." (Source: Government Technology)

Clapper, Lettre, Rogers set to testify on Russian hacking of election. Sen. McCain’s Senate Armed Service Committee is set to hold its much-anticipated hearing on Russian attempts to influence the U.S. presidential election today. Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers, and Undersecretary of Defense for Intelligence Marcel Lettre are cyber heavyweights scheduled to testify. @jeremyherb and @connorobrienNH write that Sen. McCain and Sen. Lindsey Graham (R-SC) are expected to use the hearing as an opportunity to push for stronger sanctions against Russia in retaliation for the hacking. (Source: Politico)

Pentagon health workers’ personal data found unprotected on the Internet. Sensitive data including names, Social Security numbers, addresses, and salaries of the U.S. military's Special Operations Command (Socom) contracted through Potomac Healthcare were found unprotected on the web over the holiday weekend. The data, which goes back to 1998, was discovered by @VickerySec of @MacKeeper. @BBC reports in a blog post, @VickerySec commented that “the sensitive nature of the information, including security clearances and the deployment locations of staff, would make it very attractive to ‘hostile entities…‘Let's hope that I was the only outsider to come across this gem.’" (Source: BBC)

Breach du jour: Holiday Inn and Holiday Inn Express? IHG Properties has launched an investigation after several reports alleged that a data breach may have compromised customers’ credit and debit card information, particularly at two of its companies, Holiday Inn and Holiday Inn Express. While the investigation continues, IHG is recommending “that individuals closely monitor their payment card account statements” for fraud. (Source: Krebs on Security)

Yahoo breach fallout spikes fear of Russian hackers penetrating a utility company. The Vermont utility company Burlington Electric garnered national attention when it detected malware code in its systems commonly associated with the Russian hacking operation dubbed “Grizzly Steppe.” The code was not used to disrupt operations, but finding the code in a utility system sparked fears of the power grid’s security. @WashingtonPost is now reporting that the alert was set off when an employee logged into their Yahoo account and was brought to a suspicious IP address after Yahoo’s record-setting 1 billion account breach. Because “Yahoo’s mail servers are visited by millions of people each day, the fact that a Burlington Electric employee checking email touched off an alert is not an indication that the Russian government was targeting the utility.” (Source: Washington Post)

Trump: ‘No computer is safe’ Trump raised eyebrows this New Year’s Eve when he commented that if “You want something to really go without detection, write it out and have it sent by courier.” @WashingtonPost notes that Trump’s remarks raised concern amongst cyber security experts who say that “his comments could upend more than a decade of national cybersecurity policy and put both government and private data at risk.” (Source: Washington Post)

Upcoming events

January 12, 2017 - PrivacyCon - Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”

May 24, 2017 - Planning for the Future: A Conference About Identity Theft - Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

National Consumers League
Published January 5, 2017